42#include <sys/protosw.h>
43#include <sys/socket.h>
45#include <sys/kernel.h>
47#include <sys/sysctl.h>
48#include <sys/syslog.h>
51#include <net/if_var.h>
52#include <net/if_types.h>
54#include <net/route/route_ctl.h>
55#include <net/route/nhop.h>
75#include <machine/in_cksum.h>
77#include <security/mac/mac_framework.h>
86#define V_icmplim VNET(icmplim)
88 &VNET_NAME(icmplim), 0,
89 "Maximum number of ICMP responses per second");
92#define V_icmplim_output VNET(icmplim_output)
93SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_VNET | CTLFLAG_RW,
94 &VNET_NAME(icmplim_output), 0,
95 "Enable logging of ICMP response rate limiting");
101 icmpstat,
"ICMP statistics (struct icmpstat, netinet/icmp_var.h)");
108#define V_icmpmaskrepl VNET(icmpmaskrepl)
110 &VNET_NAME(icmpmaskrepl), 0,
111 "Reply to ICMP Address Mask Request packets");
114#define V_icmpmaskfake VNET(icmpmaskfake)
115SYSCTL_UINT(_net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_VNET | CTLFLAG_RW,
116 &VNET_NAME(icmpmaskfake), 0,
117 "Fake reply to ICMP Address Mask Request packets");
120#define V_drop_redirect VNET(drop_redirect)
121SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_VNET | CTLFLAG_RW,
122 &VNET_NAME(drop_redirect), 0,
123 "Ignore ICMP redirects");
126#define V_log_redirect VNET(log_redirect)
127SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_VNET | CTLFLAG_RW,
128 &VNET_NAME(log_redirect), 0,
129 "Log ICMP redirects to the console");
132#define V_redirtimeout VNET(redirtimeout)
133SYSCTL_INT(_net_inet_icmp, OID_AUTO, redirtimeout, CTLFLAG_VNET | CTLFLAG_RW,
134 &VNET_NAME(redirtimeout), 0,
135 "Delay in seconds before expiring redirect route");
138#define V_reply_src VNET(reply_src)
139SYSCTL_STRING(_net_inet_icmp, OID_AUTO, reply_src, CTLFLAG_VNET | CTLFLAG_RW,
140 &VNET_NAME(reply_src), IFNAMSIZ,
141 "ICMP reply source for non-local packets");
144#define V_icmp_rfi VNET(icmp_rfi)
145SYSCTL_INT(_net_inet_icmp, OID_AUTO, reply_from_interface, CTLFLAG_VNET | CTLFLAG_RW,
146 &VNET_NAME(icmp_rfi), 0,
147 "ICMP reply from incoming interface for non-local packets");
150#define V_icmp_quotelen VNET(icmp_quotelen)
151SYSCTL_INT(_net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_VNET | CTLFLAG_RW,
152 &VNET_NAME(icmp_quotelen), 0,
153 "Number of bytes from original packet to quote in ICMP reply");
156#define V_icmpbmcastecho VNET(icmpbmcastecho)
157SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_VNET | CTLFLAG_RW,
158 &VNET_NAME(icmpbmcastecho), 0,
159 "Reply to multicast ICMP Echo Request and Timestamp packets");
162#define V_icmptstamprepl VNET(icmptstamprepl)
163SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstamprepl, CTLFLAG_VNET | CTLFLAG_RW,
164 &VNET_NAME(icmptstamprepl), 0,
165 "Respond to ICMP Timestamp packets");
168#define V_error_keeptags VNET(error_keeptags)
169SYSCTL_INT(_net_inet_icmp, OID_AUTO, error_keeptags, CTLFLAG_VNET | CTLFLAG_RW,
170 &VNET_NAME(error_keeptags), 0,
171 "ICMP error response keeps copy of mbuf_tags of original packet");
177static void icmp_reflect(
struct mbuf *);
178static void icmp_send(
struct mbuf *,
struct mbuf *);
179static int icmp_verify_redirect_gateway(
struct sockaddr_in *,
182extern struct protosw
inetsw[];
195 counter_u64_add(VNET(
icmpstat)[statnum], 1);
205 struct ip *oip, *nip;
208 unsigned icmplen, icmpelen, nlen, oiphlen;
210 KASSERT((u_int)type <=
ICMP_MAXTYPE, (
"%s: illegal ICMP type",
222 if (n->m_flags & M_DECRYPTED)
224 if (n->m_flags & (M_BCAST|M_MCAST))
230 oip = mtod(n,
struct ip *);
231 oiphlen = oip->
ip_hl << 2;
236 printf(
"icmp_error(%p, %x, %d)\n", oip, type, code);
242 oiphlen))->icmp_type)) {
252 nlen = m_length(n, NULL);
257 if (oiphlen +
sizeof(
struct tcphdr) > n->m_len &&
260 if (n->m_len < oiphlen +
sizeof(
struct tcphdr) &&
261 (n = m_pullup(n, oiphlen +
sizeof(
struct tcphdr))) == NULL)
263 oip = mtod(n,
struct ip *);
264 th = mtodo(n, oiphlen);
265 tcphlen = th->th_off << 2;
266 if (tcphlen <
sizeof(
struct tcphdr))
268 if (ntohs(oip->
ip_len) < oiphlen + tcphlen)
270 if (oiphlen + tcphlen > n->m_len && n->m_next == NULL)
272 if (n->m_len < oiphlen + tcphlen &&
273 (n = m_pullup(n, oiphlen + tcphlen)) == NULL)
275 oip = mtod(n,
struct ip *);
276 icmpelen = max(tcphlen, min(V_icmp_quotelen,
277 ntohs(oip->
ip_len) - oiphlen));
284 if (oiphlen +
sizeof(
struct sctphdr) > n->m_len &&
287 if (n->m_len < oiphlen +
sizeof(
struct sctphdr) &&
288 (n = m_pullup(n, oiphlen +
sizeof(
struct sctphdr))) == NULL)
290 oip = mtod(n,
struct ip *);
291 icmpelen = max(
sizeof(
struct sctphdr),
292 min(V_icmp_quotelen, ntohs(oip->
ip_len) - oiphlen));
293 sh = mtodo(n, oiphlen);
294 if (ntohl(sh->
v_tag) == 0 &&
295 ntohs(oip->
ip_len) >= oiphlen +
297 (n->m_len >= oiphlen +
sizeof(
struct sctphdr) + 8 ||
298 n->m_next != NULL)) {
299 if (n->m_len < oiphlen +
sizeof(
struct sctphdr) + 8 &&
300 (n = m_pullup(n, oiphlen +
301 sizeof(
struct sctphdr) + 8)) == NULL)
303 oip = mtod(n,
struct ip *);
304 sh = mtodo(n, oiphlen);
307 icmpelen = max(
sizeof(
struct sctphdr) + 8,
308 min(V_icmp_quotelen, ntohs(oip->
ip_len) -
313stdreply: icmpelen = max(8, min(V_icmp_quotelen, ntohs(oip->
ip_len) -
316 icmplen = min(oiphlen + icmpelen, nlen);
317 if (icmplen <
sizeof(
struct ip))
321 m = m_gethdr(M_NOWAIT, MT_DATA);
323 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
327 mac_netinet_icmp_reply(n, m);
329 icmplen = min(icmplen, M_TRAILINGSPACE(m) -
332 m->m_data +=
sizeof(
struct ip);
338 M_SETFIB(m, M_GETFIB(n));
339 icp = mtod(m,
struct icmp *);
343 icp->icmp_gwaddr.s_addr = dest;
351 icp->icmp_pptr = code;
355 icp->icmp_nextmtu = htons(mtu);
364 m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
373 m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
374 KASSERT(M_LEADINGSPACE(m) >=
sizeof(
struct ip),
375 (
"insufficient space for ip header"));
376 m->m_data -=
sizeof(
struct ip);
377 m->m_len +=
sizeof(
struct ip);
378 m->m_pkthdr.len = m->m_len;
379 m->m_pkthdr.rcvif = n->m_pkthdr.rcvif;
380 nip = mtod(m,
struct ip *);
381 bcopy((caddr_t)oip, (caddr_t)nip,
sizeof(
struct ip));
382 nip->ip_len = htons(m->m_len);
389 if (V_error_keeptags)
390 m_tag_copy_chain(m, n, M_NOWAIT);
402icmp_input(
struct mbuf **mp,
int *offp,
int proto)
406 struct mbuf *m = *mp;
407 struct ip *
ip = mtod(m,
struct ip *);
410 int icmplen = ntohs(
ip->
ip_len) - *offp;
412 void (*ctlfunc)(int,
struct sockaddr *,
void *);
425 char srcbuf[INET_ADDRSTRLEN];
426 char dstbuf[INET_ADDRSTRLEN];
428 printf(
"icmp_input from %s to %s, len %d\n",
438 if (m->m_len < i && (m = m_pullup(m, i)) == NULL) {
440 return (IPPROTO_DONE);
442 ip = mtod(m,
struct ip *);
445 icp = mtod(m,
struct icmp *);
446 if (in_cksum(m, icmplen)) {
455 printf(
"icmp_input, type %d code %d\n", icp->
icmp_type,
466 bzero(&icmpsrc,
sizeof(icmpsrc));
468 icmpsrc.sin_family = AF_INET;
469 bzero(&icmpdst,
sizeof(icmpdst));
471 icmpdst.sin_family = AF_INET;
472 bzero(&icmpgw,
sizeof(icmpgw));
474 icmpgw.sin_family = AF_INET;
491 code = PRC_UNREACH_NET;
503 code = PRC_UNREACH_PROTOCOL;
506 code = PRC_UNREACH_PORT;
512 code = PRC_UNREACH_ADMIN_PROHIB;
523 code += PRC_TIMXCEED_INTRANS;
529 code = PRC_PARAMPROB;
535 icp->icmp_ip.ip_hl < (
sizeof(
struct ip) >> 2)) {
540 if (IN_MULTICAST(ntohl(icp->icmp_ip.ip_dst.s_addr)))
544 printf(
"deliver to protocol %d\n", icp->icmp_ip.ip_p);
546 icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
553 if (m->m_len < i && (m = m_pullup(m, i)) == NULL) {
556 return (IPPROTO_DONE);
558 ip = mtod(m,
struct ip *);
559 icp = (
struct icmp *)(
ip + 1);
570 (*ctlfunc)(code, (
struct sockaddr *)&icmpsrc,
571 (
void *)&icp->icmp_ip);
579 if (!V_icmpbmcastecho
580 && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
590 if (V_icmptstamprepl == 0)
592 if (!V_icmpbmcastecho
593 && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
604 icp->icmp_rtime =
iptime();
605 icp->icmp_ttime = icp->icmp_rtime;
609 if (V_icmpmaskrepl == 0)
620 icmpdst.sin_addr =
ip->ip_src;
626 ia = (
struct in_ifaddr *)ifaof_ifpforaddr(
627 (
struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif);
630 if (ia->ia_ifp == NULL)
633 if (V_icmpmaskfake == 0)
636 icp->icmp_mask = V_icmpmaskfake;
637 if (
ip->ip_src.s_addr == 0) {
638 if (ia->ia_ifp->if_flags & IFF_BROADCAST)
639 ip->ip_src =
satosin(&ia->ia_broadaddr)->sin_addr;
640 else if (ia->ia_ifp->if_flags & IFF_POINTOPOINT)
647 return (IPPROTO_DONE);
650 if (V_log_redirect) {
653 src = ntohl(
ip->ip_src.s_addr);
654 dst = ntohl(icp->icmp_ip.ip_dst.s_addr);
655 gw = ntohl(icp->icmp_gwaddr.s_addr);
656 printf(
"icmp redirect from %d.%d.%d.%d: "
657 "%d.%d.%d.%d => %d.%d.%d.%d\n",
658 (
int)(src >> 24), (
int)((src >> 16) & 0xff),
659 (
int)((src >> 8) & 0xff), (
int)(src & 0xff),
660 (
int)(dst >> 24), (
int)((dst >> 16) & 0xff),
661 (
int)((dst >> 8) & 0xff), (
int)(dst & 0xff),
662 (
int)(gw >> 24), (
int)((gw >> 16) & 0xff),
663 (
int)((gw >> 8) & 0xff), (
int)(gw & 0xff));
674 icp->icmp_ip.ip_hl < (
sizeof(
struct ip) >> 2)) {
685 icmpgw.sin_addr =
ip->ip_src;
686 icmpdst.sin_addr = icp->icmp_gwaddr;
689 char dstbuf[INET_ADDRSTRLEN];
690 char gwbuf[INET_ADDRSTRLEN];
692 printf(
"redirect dst %s to %s\n",
697 icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
712 if (icmp_verify_redirect_gateway(&icmpgw, &icmpsrc, &icmpdst,
718 for ( fibnum = 0; fibnum < rt_numfibs; fibnum++) {
719 rib_add_redirect(fibnum, (
struct sockaddr *)&icmpsrc,
720 (
struct sockaddr *)&icmpdst,
721 (
struct sockaddr *)&icmpgw, m->m_pkthdr.rcvif,
722 RTF_GATEWAY, V_redirtimeout);
724 pfctlinput(PRC_REDIRECT_HOST, (
struct sockaddr *)&icmpsrc);
745 return (IPPROTO_DONE);
749 return (IPPROTO_DONE);
756icmp_reflect(
struct mbuf *m)
758 struct ip *
ip = mtod(m,
struct ip *);
763 struct nhop_object *nh;
764 struct mbuf *opts = NULL;
765 int optlen = (
ip->
ip_hl << 2) -
sizeof(
struct ip);
769 if (IN_MULTICAST(ntohl(
ip->ip_src.s_addr)) ||
770 IN_EXPERIMENTAL(ntohl(
ip->ip_src.s_addr)) ||
771 IN_ZERONET(ntohl(
ip->ip_src.s_addr)) ) {
786 CK_LIST_FOREACH(ia,
INADDR_HASH(t.s_addr), ia_hash) {
787 if (t.s_addr ==
IA_SIN(ia)->sin_addr.s_addr) {
798 ifp = m->m_pkthdr.rcvif;
799 if (ifp != NULL && ifp->if_flags & IFF_BROADCAST) {
800 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
801 if (ifa->ifa_addr->sa_family != AF_INET)
804 if (
satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
817 if (V_icmp_rfi && ifp != NULL) {
818 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
819 if (ifa->ifa_addr->sa_family != AF_INET)
832 if (V_reply_src[0] !=
'\0' && (ifp = ifunit(V_reply_src))) {
833 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
834 if (ifa->ifa_addr->sa_family != AF_INET)
856 mac_netinet_icmp_replyinplace(m);
870 cp = (u_char *) (
ip + 1);
872 (opts = m_gethdr(M_NOWAIT, MT_DATA))) {
873 opts->m_len =
sizeof(
struct in_addr);
874 mtod(opts,
struct in_addr *)->s_addr = 0;
879 printf(
"icmp_reflect optlen %d rt %d => ",
880 optlen, opts->m_len);
882 for (cnt = optlen; cnt > 0; cnt -= len, cp += len) {
902 mtod(opts, caddr_t) + opts->m_len, len);
907 cnt = opts->m_len % 4;
909 for (; cnt < 4; cnt++) {
910 *(mtod(opts, caddr_t) + opts->m_len) =
917 printf(
"%d\n", opts->m_len);
922 m_tag_delete_nonpersistent(m);
923 m->m_flags &= ~(M_BCAST|M_MCAST);
943 struct nhop_object *nh;
949 if ((ifa = ifa_ifwithnet((
struct sockaddr *)gateway, 0, fibnum))==NULL)
950 return (ENETUNREACH);
953 if (ifa_ifwithaddr_check((
struct sockaddr *)gateway))
954 return (EHOSTUNREACH);
966 if (!sa_equal((
struct sockaddr *)src, &nh->gw_sa))
968 if (nh->nh_ifa != ifa && ifa->ifa_addr->sa_family != AF_LINK)
972 if (nh->nh_flags & NHF_HOST)
976 if (!(nh->nh_flags & NHF_GATEWAY))
987icmp_send(
struct mbuf *m,
struct mbuf *opts)
989 struct ip *
ip = mtod(m,
struct ip *);
996 icp = mtod(m,
struct icmp *);
1001 m->m_pkthdr.rcvif = (
struct ifnet *)0;
1004 char dstbuf[INET_ADDRSTRLEN];
1005 char srcbuf[INET_ADDRSTRLEN];
1007 printf(
"icmp_send dst %s src %s\n",
1012 (void)
ip_output(m, opts, NULL, 0, NULL, NULL);
1025 t = (atv.tv_sec % (24*60*60)) * 1000 + atv.tv_usec / 1000;
1037 static int mtutab[] = {
1038 65535, 32000, 17914, 8166, 4352, 2002, 1492, 1280, 1006, 508,
1043 size = (
sizeof mtutab) / (
sizeof mtutab[0]);
1045 for (i = 0; i < size; i++)
1046 if (mtu > mtutab[i])
1049 for (i = size - 1; i >= 0; i--)
1050 if (mtu < mtutab[i])
1052 if (mtu == mtutab[0])
1082 {
"icmp unreach response" },
1083 {
"icmp ping response" },
1084 {
"icmp tstamp response" },
1085 {
"closed port RST response" },
1086 {
"open port RST response" },
1087 {
"icmp6 unreach response" },
1088 {
"sctp ootb response" }
1090#define V_icmp_rates VNET(icmp_rates)
1097 V_icmp_rates[i].cr.cr_rate = counter_u64_alloc(M_WAITOK);
1123 (
"%s: which %d", __func__, which));
1129 log(LOG_NOTICE,
"Limiting %s from %jd to %d packets/sec\n",
SYSCTL_UINT(_net_inet_tcp_cc_hystartplusplus, OID_AUTO, minrtt_thresh, CTLFLAG_RW, &hystart_minrtt_thresh, 4000, "HyStarts++ minimum RTT thresh used in clamp (in microseconds)")
VNET_DEFINE(struct cc_algo *, default_cc_ptr)
SYSCTL_STRING(_net_inet_tcp_cc_cdg, OID_AUTO, version, CTLFLAG_RD, CDG_VERSION, sizeof(CDG_VERSION) - 1, "Current algorithm/implementation version number")
#define BANDLIM_ICMP_ECHO
#define BANDLIM_UNLIMITED
#define ICMPSTAT_INC(name)
#define BANDLIM_ICMP_TSTAMP
void kmod_icmpstat_inc(int statnum)
VNET_PCPUSTAT_SYSINIT(arpstat)
SYSCTL_VNET_PCPUSTAT(_net_link_ether_arp, OID_AUTO, stats, struct arpstat, arpstat, "ARP statistics (struct arpstat, net/if_arp.h)")
VNET_PCPUSTAT_DEFINE(struct arpstat, arpstat)
VNET_PCPUSTAT_SYSUNINIT(igmpstat)
char * inet_ntoa_r(struct in_addr ina, char *buf)
struct nhop_object * fib4_lookup(uint32_t fibnum, struct in_addr dst, uint32_t scopeid, uint32_t flags, uint32_t flowid)
int badport_bandlim(int which)
VNET_SYSUNINIT(icmp_bandlimit, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, icmp_bandlimit_uninit, NULL)
static void icmp_bandlimit_init(void)
SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_VNET|CTLFLAG_RW, &VNET_NAME(icmplim), 0, "Maximum number of ICMP responses per second")
static void icmp_bandlimit_uninit(void)
VNET_DEFINE_STATIC(int, icmplim)
VNET_SYSINIT(icmp_bandlimit, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY, icmp_bandlimit_init, NULL)
#define ICMP_UNREACH_NET_PROHIB
#define ICMP_UNREACH_HOST
#define ICMP_UNREACH_NET_UNKNOWN
#define ICMP_UNREACH_NEEDFRAG
#define ICMP_ROUTERADVERT
#define ICMP_ROUTERSOLICIT
int ip_next_mtu(int, int)
#define ICMP_UNREACH_ISOLATED
#define ICMP_UNREACH_TOSHOST
#define ICMP_UNREACH_HOST_PRECEDENCE
int icmp_input(struct mbuf **, int *, int)
#define ICMP_UNREACH_PROTOCOL
#define ICMP_UNREACH_SRCFAIL
#define ICMP_ADVLENPREF(p)
#define ICMP_SOURCEQUENCH
#define ICMP_UNREACH_PRECEDENCE_CUTOFF
void icmp_error(struct mbuf *, int, int, uint32_t, int)
#define ICMP_INFOTYPE(type)
#define ICMP_UNREACH_TOSNET
#define ICMP_UNREACH_HOST_UNKNOWN
#define ICMP_UNREACH_FILTER_PROHIB
#define ICMP_UNREACH_HOST_PROHIB
#define ICMP_UNREACH_PORT
void ip_stripoptions(struct mbuf *m)
struct mbuf * ip_srcroute(struct mbuf *m0)
int ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, struct ip_moptions *imo, struct inpcb *inp)
int rip_input(struct mbuf **, int *, int)
struct sockaddr_in ia_sockmask
struct sockaddr_in ia_dstaddr
struct in_addr ip_src ip_dst